Crypto Theft Rose in 2022 as Scam, Ransomware Bounty Fell: Chainalysis

The volume of crime-related transactions rose for the second consecutive year, reaching a record high of $20.6 billion, blockchain analytics firm Chainalysis says in its new Crypto Crime Report. But it is a small share of the total volume of the crypto market: less than 1%.

2022 became the biggest year for crypto thieves. According to Chainalysis, around $3.8 billion, more than in any other year, was stolen from various services and protocols, of which $775.7 million was stolen in October alone. At the same time, the total income of fraudsters and ransomware operators decreased, the report states.

82.1% of all the stolen funds were obtained from DeFi protocols, specifically cross-chain bridges – protocols that allow users to trade assets between two different blockchains. “Bridges are an attractive target for hackers because the smart contracts effectively become vast, centralized repositories of funds that support the assets that have been connected to the new chain – a more desirable honeypot could hardly be imagined,” the report said.

A growing trend in DeFi hacking is oracle manipulation, when an attacker compromises the mechanisms that allow a decentralized protocol to obtain a price for traded assets, creating favorable conditions for fast and super-profitable trades, says Chainalysis. According to the report, in 2022 DeFi protocols lost $386.2 million in 41 separate oracle manipulation attacks.

An example of this is the Mango Markets exploit, for which the alleged attacker, Avraham Eisenberg, was arrested and now faces commodities manipulation charges in a US court.

North Korean hackers from the Lazarus group broke their own record in 2022: $1.7 billion stolen from multiple victims. Most of the money was sent to decentralized exchanges and several mixers: Tornado Cash, Blender.io, and, after the shutdown of Blender, to Sinbad. Sinbad may have been launched by the same team that ran Blender, blockchain intel firm Elliptic previously said.

That could be one major bias in the overall illicit transaction statistics: 43% of all illicit transaction volume in 2022 came from activity linked to sanctioned entities, Chainalysis said.

A large part of these illegal money flows is funds received by the sanctioned entity Garantex, which are likely just “Russian users using a Russian exchange,” Chainalysis said, but most compliance professionals treat these transactions as illegal activity anyway, it adds.

In 2022, the US sanctioned the Russian darknet marketplace Hydra, the exchange Garantex, and the crypto mixers Blender.io and Tornado Cash. Not all the money these sanctioned services processed was of criminal origin: only 6.1% of the funds Garantex received came from illegal sources (still 20 times more than centralized exchanges on average), and for Tornado Cash the figure is 34%, according to Chainalysis.

Sanctions severely curtailed the flow of funds into Tornado Cash, but Garantex remained as active as it used to be, seeing even more incoming funds from known scams and darknet stores, Chainalysis said.

Sanctions also seem to have reduced the popularity of mixers: in 2022, $7.8 billion in crypto passed through mixers, compared to $11.5 billion in 2021. The US Office of Foreign Assets Control (OFAC) sanctioned the mixers Tornado Cash and Blender.io last year because both services had been actively used by the North Korean hacker group Lazarus.

Crypto infrastructure remains open to ransomware hackers, as they most often send extorted money to centralized crypto exchanges, Chainalysis said. Despite the intensified attention of law enforcement agencies around the world in recent years, centralized exchanges remain the main recipients of criminal funds, according to the report.

However, hackers who steal crypto from exchanges and other entities prefer DeFi platforms for money laundering, especially when the DeFi protocols themselves are victims, the report says: “In DeFi hacks, attackers often end up with tokens that are not listed on other exchanges, so they have to use decentralized exchanges (DEXs) to exchange them for more liquid cryptoassets.”

Other cybercriminals typically use darknet platforms, mixers and centralized exchanges with weak Know Your Customer (KYC) protections, such as Bitzlato, whose founder and several other employees were arrested in January.

The report takes a closer look at a particular case of a ransomware strain, Deadbolt, which was active in 2022. Unlike the most notorious ransomware groups like Conti, which attacked large organizations for large ransoms, Deadbolt operators chose to target small businesses and individuals, and in 2022 received over $2.3 million from about 4,923 victims, who paid an average of about $476 each.

A twist here is the way this group sent decryption keys to its ransom-paying victims: When a victim sent a bitcoin transaction to Deadbolt’s address, another transaction would be triggered automatically, sending back a meager amount of bitcoin (around $1) with the decryption key written into the OP_RETURN field of the transaction data.

This mechanism helped the Royal Dutch Police, which investigated the group, obtain decryption keys for a dozen victims without parting with their money: The police sent payout transactions to the hackers, but as soon as they received the key, they reversed the payouts using the replace-by-fee mechanism.

Replace-by-fee allows an already broadcast but still unconfirmed Bitcoin transaction to be replaced with a new one that pays a higher fee. Miners prefer to include the more profitable transaction in a block, and once they do, the first transaction becomes invalid because the bitcoin it tried to spend has already been spent by the replacement.
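To make the two mechanisms above concrete, here is an added example (not code from the article, Chainalysis or the Dutch police) that parses a raw Bitcoin transaction, extracts whatever was pushed after OP_RETURN, and checks whether the transaction signals replace-by-fee under BIP 125 (any input with nSequence below 0xfffffffe). The sample transaction, its txid, pubkey hash and payload are all constructed placeholders; the point for a receiver is that an unconfirmed, RBF-signalling payment is not settled and should not trigger an automated response.

```python
"""Parse a raw (non-witness) Bitcoin transaction, pull out OP_RETURN payloads
and report whether it signals replace-by-fee (BIP 125).

Added example for this article; not Chainalysis, police or Deadbolt tooling.
The sample transaction built below is constructed for illustration only."""
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E


def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def parse_tx(raw: bytes) -> dict:
    """Minimal parser for the legacy serialisation (no SegWit marker/witness)."""
    pos = 0
    version = struct.unpack_from("<i", raw, pos)[0]; pos += 4
    n_in, pos = _read_varint(raw, pos)
    inputs = []
    for _ in range(n_in):
        txid = raw[pos:pos + 32][::-1].hex(); pos += 32   # txids are stored byte-reversed
        vout = struct.unpack_from("<I", raw, pos)[0]; pos += 4
        slen, pos = _read_varint(raw, pos)
        script_sig = raw[pos:pos + slen]; pos += slen
        sequence = struct.unpack_from("<I", raw, pos)[0]; pos += 4
        inputs.append({"txid": txid, "vout": vout, "script_sig": script_sig, "sequence": sequence})
    n_out, pos = _read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]; pos += 8   # satoshis
        slen, pos = _read_varint(raw, pos)
        script = raw[pos:pos + slen]; pos += slen
        outputs.append({"value": value, "script_pubkey": script})
    locktime = struct.unpack_from("<I", raw, pos)[0]; pos += 4
    if pos != len(raw):
        raise ValueError("trailing bytes after transaction")
    return {"version": version, "inputs": inputs, "outputs": outputs, "locktime": locktime}


def op_return_payloads(tx: dict) -> list[bytes]:
    """Concatenate the data pushes following OP_RETURN in each null-data output."""
    payloads = []
    for out in tx["outputs"]:
        s = out["script_pubkey"]
        if not s or s[0] != OP_RETURN:
            continue
        pos, data = 1, b""
        while pos < len(s):
            op = s[pos]; pos += 1
            if 1 <= op <= 0x4B:                     # direct push of 1..75 bytes
                n = op
            elif op == OP_PUSHDATA1:
                n = s[pos]; pos += 1
            elif op == OP_PUSHDATA2:
                n = struct.unpack_from("<H", s, pos)[0]; pos += 2
            elif op == OP_PUSHDATA4:
                n = struct.unpack_from("<I", s, pos)[0]; pos += 4
            else:
                break                               # not a push: stop collecting
            data += s[pos:pos + n]; pos += n
        payloads.append(data)
    return payloads


def signals_rbf(tx: dict) -> bool:
    """BIP 125: replaceable while unconfirmed if any input's nSequence < 0xfffffffe."""
    return any(i["sequence"] < 0xFFFFFFFE for i in tx["inputs"])


def _varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    return b"\xfe" + struct.pack("<I", n)


def build_sample_tx(payload: bytes, sequence: int) -> bytes:
    """Constructed one-input, two-output transaction: a 1000-sat payment plus an
    OP_RETURN output carrying `payload`. The txid and pubkey hash are placeholders."""
    if len(payload) > 0xFF:
        raise ValueError("sample builder supports payloads up to 255 bytes")
    push = bytes([len(payload)]) if len(payload) <= 0x4B else bytes([OP_PUSHDATA1, len(payload)])
    null_data = bytes([OP_RETURN]) + push + payload
    p2wpkh = b"\x00\x14" + b"\x22" * 20                       # placeholder witness program
    tx = struct.pack("<i", 1)
    tx += _varint(1) + b"\x11" * 32 + struct.pack("<I", 0) + _varint(0) + struct.pack("<I", sequence)
    tx += _varint(2)
    tx += struct.pack("<q", 1000) + _varint(len(p2wpkh)) + p2wpkh
    tx += struct.pack("<q", 0) + _varint(len(null_data)) + null_data
    return tx + struct.pack("<I", 0)                         # locktime


if __name__ == "__main__":
    tx = parse_tx(build_sample_tx(b"DEADBOLT-KEY:constructed", 0xFFFFFFFD))
    print("OP_RETURN payloads:", op_return_payloads(tx))
    print("signals RBF, not settled while unconfirmed:", signals_rbf(tx))
```

Relay policy limits standard OP_RETURN outputs to a few dozen bytes of data, which is why the decryption key fits in a single push; a receiving service that wants to act on a payment automatically should wait for confirmations regardless of whether the RBF flag is set, since the flag only advertises replaceability.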
